Since April last year, WhatsApp has been using end-to-end encryption, which means neither the Facebook-owned company nor third parties can read your messages or listen to your calls. But how secure are you actually?
WhatsApp uses the Signal Protocol, designed by Open Whisper Systems for its own messaging app called Signal. End-to-end encryption comes with forward secrecy, and it basically means protection from intrusive governmental surveillance, the police and hackers.
Previously, WhatsApp would store the information centrally in an encrypted form. If any authority got a court order asking WhatsApp to give up the information, they could and would have done it because they had access to it. But with end-to-end encryption, they no longer have access. Or so they claim.
This feature comes to you by default. You don't have to turn this feature on and you cannot turn it off either. Encryption means that messages from the sender are scrambled on their journey to the receiver. So no one can intercept the messages and read them. End-to-end encryption or E2EE ensures that a message can only be read by the sender and recipient and not by a middleman. When you send a message, your phone contacts the WhatsApp service and requests an encryption key. It would have to be a unique key for each message because that is what is meant by forward secrecy.
WhatsApp then sends the encryption key back to you, and your phone uses the key to encrypt the message and sends it to WhatsApp, which in turn sends it on. Unlike other messaging services, it no longer stores any of the messages. All this is done automatically. There is no need to set up special secret chats to secure your messages. WhatsApp calls are also end-to-end encrypted, so neither WhatsApp nor any third party can listen in.
A key pair composed of a public key and a private key cryptographically identifies each user. The public key is advertised publicly through the server while the private key remains private on the user's device. You can verify the privacy of your communication by checking this key pair. Go to the contact's info by tapping the name of your friend on the top of the message. Tap on Encryption and you will see a QR code. Scan the code on your friend's phone or ask your buddy to scan the code on your phone. They should be the same.
But every time someone gets a new device, reinstalls the app, or is offline when a message is sent, WhatsApp can change his or her identity key pair. The resulting re-encryption and rebroadcast of undelivered messages effectively allows WhatsApp to intercept and read some users' messages. Though WhatsApp gives users the option to be notified when those changes occur, this is a vulnerability or a 'backdoor' security breach. WhatsApp admits that this loophole exists, but says it is needed so that the service is not disrupted every time someone changes their phone or a message is not delivered. Some security experts say that this tradeoff is necessary if the app has to be made easy to use.
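The key-change behaviour described above can be modelled from the sender's side. The following is an added example, not WhatsApp's code or part of the original column: the `Sender` class, the SHA-256 `fingerprint` stand-in for the QR code and the sample keys are all assumptions, used to contrast automatic re-sending with holding messages until the new key is verified.

```python
import hashlib
from dataclasses import dataclass, field

OLD_KEY = b"constructed-identity-key-old-phone"  # constructed sample values,
NEW_KEY = b"constructed-identity-key-new-phone"  # not real key material

def fingerprint(public_key: bytes) -> str:
    """Digest both users can compare; a stand-in for the QR code (assumption)."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_change: bool  # True: hold queued messages until the key is verified
    pinned: dict = field(default_factory=dict)       # contact -> fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> queued texts
    events: list = field(default_factory=list)       # notifications for the user

    def queue(self, contact, key, text):
        # Trust on first use: pin the first identity key seen for this contact.
        self.pinned.setdefault(contact, fingerprint(key))
        self.undelivered.setdefault(contact, []).append(text)

    def on_key_announced(self, contact, new_key):
        """Server announces a key; return the messages re-sent under it."""
        new_fp = fingerprint(new_key)
        if self.pinned.get(contact) != new_fp:
            self.events.append(f"identity key for {contact} changed")
            if self.block_on_change:
                return []  # nothing leaves the device yet
            self.pinned[contact] = new_fp  # accepted without user action
        return self.undelivered.pop(contact, [])

    def verify(self, contact, announced_key, key_shown_by_contact):
        """User compared codes in person; release only if they match."""
        if fingerprint(announced_key) != fingerprint(key_shown_by_contact):
            return []
        self.pinned[contact] = fingerprint(announced_key)
        return self.undelivered.pop(contact, [])

def demo(block):
    s = Sender(block_on_change=block)
    s.queue("alice", OLD_KEY, "meet at 6")
    return s, s.on_key_announced("alice", NEW_KEY)

if __name__ == "__main__":
    for block in (False, True):
        s, sent = demo(block)
        print(f"block={block} re-sent={sent} events={s.events}")
```

With `block_on_change=False` the queued message is re-sent under the new key and the user only sees a notification afterwards; with `True` it stays on the device until `verify` confirms the key out of band.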
As if this loophole was not enough, WikiLeaks revealed last week that the CIA and allied intelligence services have managed to bypass WhatsApp's and Signal's encryption on Android phones and collect "audio and message traffic before encryption is applied".
However, despite these security holes, WhatsApp wants to protect your right to have a private conversation when you use their service. Like Apple, these companies are committed to their assurance to you to protect your personal data, security and encryption. If you are really worried about your privacy, use messaging apps such as iMessage, Viber, Line, Allo, Cyber Dust, Signal and Telegram, which use end-to-end encryption. However, Facebook Messenger does not encrypt messages.
Send in your computer-related problems to askdoss@abpmail.com with TechTonic as the subject line